ホーム エクスプローラ ヘルプ
サインイン
torambo.com
/
yunohost_glpi_singlesignon
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ブランチ: master
ブランチ タグ
yunohost_glpi_s...
/
front
/
callback.php

callback.php 6.4 KB
パーマリンク 履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * ---------------------------------------------------------------------
    5. 

  5.  * SingleSignOn is a plugin which allows to use SSO for auth
    6. 

  6.  * ---------------------------------------------------------------------
    7. 

  7.  * Copyright (C) 2022 Edgard
    8. 

  8.  *
    9. 

  9.  * This program is free software: you can redistribute it and/or modify
    10. 

  10.  * it under the terms of the GNU General Public License as published by
    11. 

  11.  * the Free Software Foundation, either version 3 of the License, or
    12. 

  12.  * (at your option) any later version.
    13. 

  13.  *
    14. 

  14.  * This program is distributed in the hope that it will be useful,
    15. 

  15.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    16. 

  16.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    17. 

  17.  * GNU General Public License for more details.
    18. 

  18.  *
    19. 

  19.  * You should have received a copy of the GNU General Public License
    20. 

  20.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    21. 

  21.  * ---------------------------------------------------------------------
    22. 

  22.  * @copyright Copyright © 2021 - 2022 Edgard
    23. 

  23.  * @license   http://www.gnu.org/licenses/gpl.txt GPLv3+
    24. 

  24.  * @link      https://github.com/edgardmessias/glpi-singlesignon/
    25. 

  25.  * ---------------------------------------------------------------------
    26. 

  26.  */
    27. 

  27. 

  28. //Disable CSRF token
    29. 

  29. define('GLPI_USE_CSRF_CHECK', 0);
    30. 

  30. 

  31. ini_set('display_errors', 1);
    32. 

  32. ini_set('display_startup_errors', 1);
    33. 

  33. error_reporting(E_ALL);
    34. 

  34. 

  35. include('../../../inc/includes.php');
    36. 

  36. 

  37. $provider_id = PluginSinglesignonToolbox::getCallbackParameters('provider');
    38. 

  38. 

  39. if (!$provider_id) {
    40. 

  40.    Html::displayErrorAndDie(__sso("Provider not defined."), false);
    41. 

  41. }
    42. 

  42. 

  43. $signon_provider = new PluginSinglesignonProvider();
    44. 

  44. 

  45. if (!$signon_provider->getFromDB($provider_id)) {
    46. 

  46.    Html::displayErrorAndDie(__sso("Provider not found."), true);
    47. 

  47. }
    48. 

  48. 

  49. if (!$signon_provider->fields['is_active']) {
    50. 

  50.    Html::displayErrorAndDie(__sso("Provider not active."), true);
    51. 

  51. }
    52. 

  52. 

  53. $signon_provider->checkAuthorization();
    54. 

  54. 

  55. $test = PluginSinglesignonToolbox::getCallbackParameters('test');
    56. 

  56. 

  57. if ($test) {
    58. 

  58.    $signon_provider->debug = true;
    59. 

  59.    Html::nullHeader("Login", PluginSinglesignonToolbox::getBaseURL() . '/index.php');
    60. 

  60.    echo '<div class="left spaced">';
    61. 

  61.    echo '<pre>';
    62. 

  62.    echo "### BEGIN ###\n";
    63. 

  63.    $signon_provider->getResourceOwner();
    64. 

  64.    echo "### END ###";
    65. 

  65.    echo '</pre>';
    66. 

  66.    Html::nullFooter();
    67. 

  67.    exit();
    68. 

  68. }
    69. 

  69. 

  70. // === ROBUSTER SSO-LOGIN BEGIN ===
    71. 

  71. try {
    72. 

  72.    $provider = $signon_provider->getProvider();
    73. 

  73.    $token = $provider->getAccessToken('authorization_code', [
    74. 

  74.       'code' => $_GET['code']
    75. 

  75.    ]);
    76. 

  76. 

  77.    $userinfo = $provider->getResourceOwner($token)->toArray();
    78. 

  78. 

  79.    // Debug-Log schreiben
    80. 

  80.    file_put_contents('/tmp/glpi_sso_debug.log', print_r($userinfo, true));
    81. 

  81. 

  82.    // Felder mit Fallbacks auslesen
    83. 

  83.    $email = $userinfo['email'] ?? $userinfo['preferred_username'] ?? null;
    84. 

  84.    $name  = $userinfo['name'] ?? ($email ? explode('@', $email)[0] : null);
    85. 

  85. 

  86.    if (!$email && !$name) {
    87. 

  87.       Toolbox::logInFile('ssodebug', 'Kein gültiger Benutzername/email in Azure-Antwort', true);
    88. 

  88.       Html::displayErrorAndDie(__('SSO-Login: Benutzerinformationen fehlen oder unvollständig.', 'singlesignon'));
    89. 

  89.    }
    90. 

  90. 

  91.    // Eindeutigen Benutzer in GLPI suchen
    92. 

  92.    $username = $signon_provider->fields['use_email_for_login'] ? $email : $name;
    93. 

  93.    $users = getAllDataFromTable('glpi_users', ['name' => $username]);
    94. 

  94. 

  95.    if (count($users) !== 1) {
    96. 

  96.       Toolbox::logInFile('ssodebug', "GLPI-Benutzer '$username' mehrfach oder nicht gefunden", true);
    97. 

  97.       Html::displayErrorAndDie(__('SSO-Login: Benutzer nicht eindeutig zuordenbar. Kontaktieren Sie den Admin.', 'singlesignon'));
    98. 

  98.    }
    99. 

  99. 

  100.    // Setze Session manuell (falls benötigt)
    101. 

  101.    $user = new User();
    102. 

  102.    $user->getFromDB(current($users)['id']);
    103. 

  103.    Session::init($user->getID());
    104. 

  104. 

  105. } catch (Exception $e) {
    106. 

  106.    Toolbox::logInFile('ssodebug', 'SSO-Ausnahme: ' . $e->getMessage(), true);
    107. 

  107.    Html::displayErrorAndDie(__('SSO-Fehler: ' . $e->getMessage(), 'singlesignon'));
    108. 

  108. }
    109. 

  109. // === ROBUSTER SSO-LOGIN ENDE ===
    110. 

  110. 

  111. $user_id = Session::getLoginUserID();
    112. 

  112. 

  113. $REDIRECT = "";
    114. 

  114. 

  115. if ($user_id || $signon_provider->login()) {
    116. 

  116. 

  117.    $user_id = $user_id ?: Session::getLoginUserID();
    118. 

  118. 

  119.    if ($user_id) {
    120. 

  120.       $signon_provider->linkUser($user_id);
    121. 

  121.    }
    122. 

  122. 

  123.    $params = PluginSinglesignonToolbox::getCallbackParameters('q');
    124. 

  124. 

  125.    if (isset($params['redirect'])) {
    126. 

  126.       $REDIRECT = '?redirect=' . $params['redirect'];
    127. 

  127.    } else if (isset($_GET['state']) && is_integer(strpos($_GET['state'], ";redirect="))) {
    128. 

  128.       $REDIRECT = '?' . substr($_GET['state'], strpos($_GET['state'], ";redirect=") + 1);
    129. 

  129.    }
    130. 

  130. 

  131.    $url_redirect = '';
    132. 

  132. 

  133.    if ($_SESSION["glpiactiveprofile"]["interface"] == "helpdesk") {
    134. 

  134.       if ($_SESSION['glpiactiveprofile']['create_ticket_on_login'] && empty($REDIRECT)) {
    135. 

  135.          $url_redirect = PluginSinglesignonToolbox::getBaseURL() . "/front/helpdesk.public.php?create_ticket=1";
    136. 

  136.       } else {
    137. 

  137.          $url_redirect = PluginSinglesignonToolbox::getBaseURL() . "/front/helpdesk.public.php$REDIRECT";
    138. 

  138.       }
    139. 

  139.    } else {
    140. 

  140.       if ($_SESSION['glpiactiveprofile']['create_ticket_on_login'] && empty($REDIRECT)) {
    141. 

  141.          $url_redirect = PluginSinglesignonToolbox::getBaseURL() . "/front/ticket.form.php";
    142. 

  142.       } else {
    143. 

  143.          $url_redirect = PluginSinglesignonToolbox::getBaseURL() . "/front/central.php$REDIRECT";
    144. 

  144.       }
    145. 

  145.    }
    146. 

  146. 

  147.    Html::nullHeader("Login", PluginSinglesignonToolbox::getBaseURL() . '/index.php');
    148. 

  148.    echo '<div class="center spaced"><a href="' . $url_redirect . '">' .
    149. 

  149.    __sso('Automatic redirection, else click') . '</a>';
    150. 

  150.    echo '<script type="text/javascript">
    151. 

  151.          if (window.opener) {
    152. 

  152.            window.opener.location="' . $url_redirect . '";
    153. 

  153.            window.close();
    154. 

  154.          } else {
    155. 

  155.            window.location="' . $url_redirect . '";
    156. 

  156.          }
    157. 

  157.        </script></div>';
    158. 

  158.    Html::nullFooter();
    159. 

  159.    exit();
    160. 

  160. 

  161.    // Auth::redirectIfAuthenticated();
    162. 

  162. 

  163. }
    164. 

  164. 

  165. // we have done at least a good login? No, we exit.
    166. 

  166. Html::nullHeader("Login", PluginSinglesignonToolbox::getBaseURL() . '/index.php');
    167. 

  167. echo '<div class="center b">' . __('User not authorized to connect in GLPI') . '<br><br>';
    168. 

  168. // Logout whit noAUto to manage auto_login with errors
    169. 

  169. echo '<a href="' . PluginSinglesignonToolbox::getBaseURL() . '/front/logout.php?noAUTO=1' .
    170. 

  170. str_replace("?", "&", $REDIRECT) . '" class="singlesignon">' . __('Log in again') . '</a></div>';
    171. 

  171. echo '<script type="text/javascript">
    172. 

  172.    if (window.opener) {
    173. 

  173.       $(".singlesignon").on("click", function (e) {
    174. 

  174.          e.preventDefault();
    175. 

  175.          window.opener.location = $(this).attr("href");
    176. 

  176.          window.focus();
    177. 

  177.          window.close();
    178. 

  178.       });
    179. 

  179.    }
    180. 

  180. </script>';
    181. 

  181. Html::nullFooter();
    182. 

  182. exit();
    183.